The TokenDivider
contract allows for the fractionalization of NFTs into ERC20 tokens via the divideNft
function. However, the current implementation of ERC20ToGenerateNftFraccion
allows arbitrary minting of ERC20 tokens by any user, which creates severe security vulnerabilities. It also allows direct burning of the generated ERC20 tokens, which can lead to state corruption between the TokenDivider
contract and the ERC20ToGenerateNftFraccion
contract.
Unrestricted ERC20 Minting:
The mint
function in ERC20ToGenerateNftFraccion
is publicly accessible, allowing any user to mint an arbitrary number of tokens.
Malicious users can mint tokens outside the marketplace’s control, leading to discrepancies between the marketplace's balances
mapping and the actual ERC20 token supply.
Unrestricted Burning:
Users can directly burn their ERC20 tokens via the burn
function, bypassing the TokenDivider
contract. This disrupts the marketplace’s internal accounting and can result in state corruption.
Unintended Burnings:
A user might accidentally burn their fractionalized tokens using the burn
function provided by ERC20ToGenerateNftFraccion
, resulting in the permanent loss of these tokens.
This accidental burning could render it impossible for a legitimate user to reclaim the NFT, as the required token balance may no longer be available.
The marketplace contract does not currently prevent or account for such unintended burns, leading to potential loss of assets and user dissatisfaction.
Token Balance Discrepancy:
The TokenDivider
relies on its balances
mapping to track ownership, but this mapping does not reflect unauthorized minting or burning in the ERC20 contract. This creates a mismatch that malicious users can exploit to manipulate the marketplace or defraud buyers.
NFT Reclamation Exploitation:
A malicious user can mint tokens, sell or transfer them, and later reclaim the NFT by burning only the original required number of tokens. This undermines the marketplace’s security and integrity.
Loss of Buyer Funds:
Buyers may lose funds by purchasing fraudulent ERC20 tokens with no underlying NFT value.
Marketplace State Corruption:
The marketplace’s internal state (balances
) can be rendered inaccurate, causing operational and trust issues.
Reputation Damage:
The marketplace loses credibility, leading to a decrease in user trust and participation.
Potential Exploits:
Malicious actors could exploit this flaw to sell fraudulent tokens repeatedly, draining buyers' funds and disrupting the marketplace.
ERC20ToGenerateNftFraccion
ContractRestrict minting and burning of ERC20 tokens to the TokenDivider
contract:
And in the divideNft
function in the TokenDivider
contract:
Any person can mint the ERC20 token generated in representation of the NFT
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.